Wireguard Full Tunnel not working

[CJ]

I followed the steps in the documentation and I have WireGuard up and running.  https://docs.opnsense.org/manual/how-tos/wireguard-client.html

However, I can only reach internal resources.  Nothing on the internet.  I did step 2c and added the interface rule along with setting AllowedIPs to 0.0.0.0/0 on the client but I still can't get out to the internet.

The weirdest part is that I can see my device making DNS queries to OPNSense and I can see the occasional 443 traffic being passed but nothing on my device works.  Additionally, I don't see any blocked entries in the firewall logs.

Any ideas where to look for the next steps?  While a split tunnel is useful, I want to be able to fully tunnel all of my traffic across the VPN.

Thanks.

[chemlud]

Trace your traffic an the various interfaces involved and have a look where it stops (or the replies, maybe?). Nobody can debug this on a forum without knowing how your network is configured...

[CJ]

That's what I'm trying to do.  I'm just confused as to why I'm seeing entries in the logs for traffic being passed when it doesn't seem to be and I'm not seeing entries for blocked traffic.

Also, I just realized that doing a split tunnel doesn't work either.

I'm seeing entries in the firewall logs showing that traffic is being passed to Unbound but Chrome gives me a DNS_PROBE_FINISHED_BAD_CONFIG error.  Looking in the Unbound logs there doesn't seem to be anything relating to my WG client.

[chemlud]

do package capture on the interfaces involved. for wg it won't work on the GUI afaik...

[CJ]

Apparently the problem was Unbound.  It was refusing queries and restarting it fixed it.  Not sure why considering I had restarted the whole server when I applied the update.

[CJ]

And it happened again.  Unbound stopped serving DNS to my WG clients until I restarted it.

[CJ]

And again.

[xpendable]

I believe this is because the unbound service initializes before the wireguard service, try manually adding an access list in unbound for your wireguard subnet.

Unbound DNS -> Access Lists

This solved the same/similar issue for me.

[CJ]

I believe this is because the unbound service initializes before the wireguard service, try manually adding an access list in unbound for your wireguard subnet.

Unbound DNS -> Access Lists

This solved the same/similar issue for me.

I'll give that a try, but why would it stop working after a time period?  The machine hasn't been rebooted and I've connected and disconnected multiple times.

[5SpeedFun]

I had issues on this until I had unbound listening on a loopback interface.  Are you listening on a local interface or a loopback?

[CJ]

Unbound listens on all interfaces.